
List:       oss-security
Subject:    Re: [oss-security] Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.
From:       Chris Steipp <csteipp () wikimedia ! org>
Date:       2014-07-31 20:17:33
Message-ID: CAKcmtDyuaT4HMke1joaVH+Ydx2Eh=0qvKjLMixX+ZaaSkf-CVQ () mail ! gmail ! com

On Thu, Jul 31, 2014 at 12:35 PM, Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi
>
> New Security and maintenance releases for mediawiki (1.19.18, 1.22.9
> and 1.23.2) were released:
>
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
>
> From the announcement, three SECURITY tagged bugs were fixed.
>
> Have CVE assignments for those already been requested, or if not, could
> you assign CVEs for these?

None have been requested or assigned.

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
** This was hardening against CVE-2014-4671, I don't think CVEs are
being assigned for these?

* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
URL used for loading a new page in JavaScript, instead of relying on
the URL in the link that has been clicked.
** Standard DOM XSS. Credit goes to Michael M.

* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
and ParserOutput.
** This probably should get a CVE, since downstreams will all want to
patch this. We prevent iframing certain pages to prevent clickjacking
/ redressing attacks, but when those pages were transcluded into
non-protected pages, the resulting page could be iframed. Credit goes
to Kevin Israel.


>
> Regards,
> Salvatore
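The first item above (bug 68187) is worth spelling out, because the fix is a single string prefix and it is easy to miss why it matters. CVE-2014-4671 ("Rosetta Flash") exploits JSONP endpoints: the attacker chooses the callback name, so the attacker chooses the first bytes of the response body. If those bytes form a valid SWF file (compressed SWF starts with "CWS", uncompressed with "FWS", LZMA-compressed with "ZWS"), a Flash loader can treat the JSONP response as a same-origin SWF and read data the endpoint returns. Prepending a comment means the response never begins with attacker-controlled bytes. The code below is an added illustration written for this page, not MediaWiki's code; it assumes "/**/" as the comment prefix and uses its own conservative callback grammar, both of which are assumptions rather than anything the announcement states.

```python
"""Added example: naive vs comment-prefixed JSONP (not MediaWiki code)."""
import json
import re

# Assumption: this example's own callback grammar. It allows identifiers and
# dotted paths ("cb", "window.cb") and nothing else, so the callback can never
# inject arbitrary JavaScript; it still lets an attacker pick the leading bytes.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Magic bytes that open an SWF file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Assumed comment prefix; the bug title only says "a comment".
JSONP_PREFIX = b"/**/"


def _validate_callback(callback: str) -> str:
    if not _CALLBACK_RE.match(callback):
        raise ValueError("rejected callback name: %r" % callback)
    return callback


def jsonp_unhardened(callback: str, payload: dict) -> bytes:
    """Naive JSONP: the body starts with whatever the caller named the callback."""
    cb = _validate_callback(callback)
    return ("%s(%s)" % (cb, json.dumps(payload))).encode("utf-8")


def jsonp_hardened(callback: str, payload: dict) -> bytes:
    """Comment-prefixed JSONP: the body always starts with bytes we control."""
    cb = _validate_callback(callback)
    return JSONP_PREFIX + ("%s(%s)" % (cb, json.dumps(payload))).encode("utf-8")


def looks_like_swf(body: bytes) -> bool:
    """True if a Flash loader would accept this body as an SWF by its header."""
    return body.startswith(SWF_MAGIC)


def jsonp_response(callback: str, payload: dict) -> tuple:
    """Full response for the hardened variant: headers plus body.

    The prefix defeats the SWF header trick; the nosniff header is the
    belt-and-braces measure so a browser never reinterprets the body
    as another content type either.
    """
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, jsonp_hardened(callback, payload)


if __name__ == "__main__":
    # Constructed sample: a callback name whose first bytes spell the
    # compressed-SWF magic. A real Rosetta Flash payload is longer and is
    # crafted so the whole body decompresses to a working SWF; the header
    # alone is enough to show where the two variants differ.
    attacker_cb = "CWSMIKI"
    data = {"session": "constructed-sample-token"}
    print("unhardened starts as SWF:", looks_like_swf(jsonp_unhardened(attacker_cb, data)))
    print("hardened starts as SWF:  ", looks_like_swf(jsonp_hardened(attacker_cb, data)))
    print(jsonp_response(attacker_cb, data)[1].decode())
```

Two points of design: the callback grammar on its own does not stop the attack, since "CWSMIKI" is a perfectly valid identifier, which is exactly why the comment prefix is the fix rather than stricter validation; and the prefix is only safe because the response is served as JavaScript, where "/**/" is inert, so do not reuse the idea for responses that are not JavaScript.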